Diffstat (limited to 'doc/sync/notrack/conntrackd.conf')
-rw-r--r-- | doc/sync/notrack/conntrackd.conf | 120 |
1 files changed, 55 insertions, 65 deletions
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 34e7b32..71946ec 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -4,6 +4,17 @@ Sync { Mode NOTRACK { # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # # This parameter allows you to set an initial fixed timeout # for the committed entries when this node goes from backup # to primary. This mechanism provides a way to purge entries @@ -26,14 +37,19 @@ Sync { # # PurgeTimeout 60 + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. If not set, default window size is 300. # - # This clause allows you to disable the internal cache. Thus, - # the synchronization messages are directly send through - # the dedicated link. This option is set of off by default. - # - # DisableInternalCache Off + # ACKWindowSize 300 - # + # # This clause allows you to disable the external cache. Thus, # the state entries are directly injected into the kernel # conntrack table. As a result, you save memory in user-space 
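Review bot: The `ResendQueueSize` comment added in the first hunk and the `ACKWindowSize` comment added in the second hunk (-26,14) describe acknowledgement and resend-queue behaviour inside `Mode NOTRACK`, and nothing visible in this file shows that NOTRACK acknowledges messages. To my knowledge these are FTFW-mode settings, so please confirm the NOTRACK parser honours them. If it does not, an operator could assume lost state changes are recovered on failover when they are not. If they stay, put a line such as `# NOTE: only meaningful when the sync mode acknowledges messages; verify for NOTRACK.` above each, and fix the spellings `acknoledgment` and `acknowlegdments`. The second hunk also deletes the `DisableInternalCache` description without saying whether the option is still accepted.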
@@ -57,33 +73,33 @@ Sync { # iptables -I INPUT -d 225.0.0.50 -j ACCEPT # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT # - Multicast { + # Multicast { # # Multicast address: The address that you use as destination # in the synchronization messages. You do not have to add # this IP to any of your existing interfaces. If any doubt, # do not modify this value. # - IPv4_address 225.0.0.50 + # IPv4_address 225.0.0.50 # # The multicast group that identifies the cluster. If any # doubt, do not modify this value. # - Group 3780 + # Group 3780 # # IP address of the interface that you are going to use to # send the synchronization messages. Remember that you must # use a dedicated link for the synchronization messages. # - IPv4_interface 192.168.100.100 + # IPv4_interface 192.168.100.100 # # The name of the interface that you are going to use to # send the synchronization messages. # - Interface eth2 + # Interface eth2 # The multicast sender uses a buffer to enqueue the packets # that are going to be transmitted. The default size of this @@ -94,10 +110,8 @@ Sync { # notice some packet loss, you may want to increase the size # of the sender buffer. The default size is usually around # ~100 KBytes which is fairly small for busy firewalls. - # Note: This protocol is best effort, it is really recommended - # to increase the buffer size. # - SndSocketBuffer 1249280 + # SndSocketBuffer 1249280 # The multicast receiver uses a buffer to enqueue the packets # that the socket is pending to handle. The default size of this 
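Review bot: The caveat `# Note: This protocol is best effort, it is really recommended to increase the buffer size.` is deleted in the sender-buffer hunk (-94,10) and again in the receiver-buffer hunk (-106,20), but nothing in the commit shows that the Multicast transport became reliable. An operator who later uncomments the `Multicast { ... }` block would then get the small default socket buffers with no warning that overruns silently lose state. I would keep the two-line note in both places, since it still documents the commented-out `SndSocketBuffer` and `RcvSocketBuffer` lines.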
@@ -106,20 +120,18 @@ Sync { # receiver queue. The overrun results packet loss, thus, losing # state information that would have to be retransmitted. If you # notice some packet loss, you may want to increase the size of - # of the sender buffer. The default size is usually around + # the receiver buffer. The default size is usually around # ~100 KBytes which is fairly small for busy firewalls. - # Note: This protocol is best effort, it is really recommended - # to increase the buffer size. # - RcvSocketBuffer 1249280 + # RcvSocketBuffer 1249280 - # + # # Enable/Disable message checksumming. This is a good # property to achieve fault-tolerance. In case of doubt, do # not modify this value. # - Checksum on - } + # Checksum on + # } # # You can specify more than one dedicated link. Thus, if one dedicated # link fails, conntrackd can fail-over to another. Note that adding 
@@ -192,60 +204,37 @@ Sync { # Checksum on # } - # - # You can also use Unicast TCP to propagate events. Thus, the NOTRACK - # mode becomes reliable. - # - # TCP { - # - # TCP address that this firewall uses to listen to events. - # - # IPv4_address 192.168.2.100 - # - # or you may want to use an IPv6 address: - # - # IPv6_address fe80::215:58ff:fe28:5a27 - - # - # Destination TCP address that receives events, ie. the other - # firewall's dedicated link address. + TIPC { # - # IPv4_Destination_Address 192.168.2.101 + # Name of the other TIPC port in the cluster (in the form type:instance) # - # or you may want to use an IPv6 address: + TIPC_Destination_Name 1000:51 + # - # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c - + # Name of the local TIPC port (used to listen to events) # - # TCP port used - # - # Port 3780 + TIPC_Name 1000:50 # - # The name of the interface that you are going to use to - # send the synchronization messages. - # - # Interface eth2 - - # - # The sender socket buffer size + # The name of the TIPC configured interface that you are going to use + # to send synchronization messages. # - # SndSocketBuffer 1249280 - + Interface eth0 + # - # The receiver socket buffer size + # The importance of the TIPC messages sent (the more important this is, the more packets will be enabled to queue up on the slave) + # This should be set to High or Critical to avoid congestion on the receiver side. + # (possible values : TIPC_LOW_IMPORTANCE, TIPC_MEDIUM_IMPORTANCE, TIPC_HIGH_IMPORTANCE, TIPC_CRITICAL_IMPROTANCE) # - # RcvSocketBuffer 1249280 + TIPC_Message_Importance TIPC_CRITICAL_IMPORTANCE - # - # Enable/Disable message checksumming. # - # Checksum on - # } + # Current TIPC implementation doesnt allow checksumming + } - # + # # Other unsorted options that are related to the synchronization. - # + # # Options { # # TCP state-entries have window tracking disabled by default, 
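Review bot: The new active `TIPC { ... }` block sets `Interface eth0` and ends by stating that checksumming is not available, yet unlike the Multicast section it never tells the operator to use a dedicated link, so the example as shipped may put unchecksummed state-sync traffic on a general-purpose interface. I would add `# Use a dedicated link for TIPC synchronization; these messages are not checksummed.` above `Interface` and use an interface name consistent with the other sections, which use `eth2`. The possible-values comment spells the last constant `TIPC_CRITICAL_IMPROTANCE` while the setting below it uses `TIPC_CRITICAL_IMPORTANCE`; correct the comment so a value copied from it is not rejected or ignored. The hunk also removes the whole commented `TCP { ... }` description, which leaves that transport undocumented in this example.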
@@ -259,9 +248,9 @@ Sync { # you want to enable. Default is off. # # ExpectationSync { - # ftp - # h323 - # sip + # ftp + # h323 + # sip # } # # You can use this alternatively: @@ -368,6 +357,7 @@ General { # # NetlinkOverrunResync On + # # If you want reliable event reporting over Netlink, set on this # option. If you set on this clause, it is a good idea to set off # NetlinkOverrunResync. This option is off by default and you need |